audit trail for openidfed

src/main/java/it/smartcommunitylab/aac/audit/model/ExtendedAuditEvent.java

@@ -60,7 +60,4 @@ public Map<String, Object> getClaims() {
     public static <E extends ApplicationEvent> ExtendedAuditEvent<E> from(AuditEvent event) {
         return new ExtendedAuditEvent<>(event.getTimestamp(), event.getPrincipal(), event.getType(), event.getData());
     }
-    // public static <K3> Builder<K3> start(Class<K3> cls) {
-    //     return new Builder<K3>();
-    // }
 }

src/main/java/it/smartcommunitylab/aac/oidc/events/OAuth2UserResponseEvent.java

@@ -0,0 +1,32 @@
+/**
+ * Copyright 2024 the original author or authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package it.smartcommunitylab.aac.oidc.events;
+
+import java.util.Map;
+import org.springframework.util.Assert;
+
+public class OAuth2UserResponseEvent extends OAuth2MessageEvent {
+
+    public OAuth2UserResponseEvent(String authority, String provider, String realm, Map<String, Object> response) {
+        super(authority, provider, realm, response);
+        Assert.notNull(response, "response can not be null");
+    }
+
+    public Map<String, Object> getUserResponse() {
+        return (Map<String, Object>) super.getSource();
+    }
+}

src/main/java/it/smartcommunitylab/aac/openidfed/audit/OAuth2UserRequestMixins.java

@@ -0,0 +1,22 @@
+/**
+ * Copyright 2024 the original author or authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package it.smartcommunitylab.aac.openidfed.audit;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+
+@JsonIgnoreProperties({ "clientRegistration" })
+public interface OAuth2UserRequestMixins {}

src/main/java/it/smartcommunitylab/aac/openidfed/audit/OpenIdFedAuditEventListener.java

@@ -24,6 +24,7 @@
 import it.smartcommunitylab.aac.audit.store.AuditApplicationEventMixIns;
 import it.smartcommunitylab.aac.core.provider.ProviderConfigRepository;
 import it.smartcommunitylab.aac.oidc.events.OAuth2MessageEvent;
+import it.smartcommunitylab.aac.openidfed.events.OpenIdFedMessageEvent;
 import it.smartcommunitylab.aac.openidfed.provider.OpenIdFedIdentityProviderConfig;
 import java.time.Instant;
 import java.util.HashMap;
@@ -41,7 +42,7 @@
 
 @Component
 public class OpenIdFedAuditEventListener
-    implements ApplicationListener<OAuth2MessageEvent>, ApplicationEventPublisherAware {
+    implements ApplicationListener<OpenIdFedMessageEvent>, ApplicationEventPublisherAware {
 
     private final Logger logger = LoggerFactory.getLogger(getClass());
 
@@ -72,13 +73,19 @@ public void setApplicationEventPublisher(ApplicationEventPublisher publisher) {
     }
 
     @Override
-    public void onApplicationEvent(OAuth2MessageEvent event) {
+    public void onApplicationEvent(OpenIdFedMessageEvent event) {
         String authority = event.getAuthority();
         String provider = event.getProvider();
         String realm = event.getRealm();
-        String tx = event.getTx();
+        String trustAnchor = event.getTrustAnchor();
+        String entityId = event.getEntityId();
 
-        logger.debug("receive openidfed message event for {}:{} key {}", authority, provider, String.valueOf(tx));
+        logger.debug(
+            "receive openidfed message event for {}:{} entity {}",
+            authority,
+            provider,
+            String.valueOf(entityId)
+        );
 
         if (registrationRepository == null || publisher == null) {
             logger.debug("invalid configuration, skip event");
@@ -102,8 +109,11 @@ public void onApplicationEvent(OAuth2MessageEvent event) {
         data.put("provider", provider);
         data.put("realm", realm);
 
-        if (StringUtils.hasText(tx)) {
-            data.put("tx", tx);
+        if (StringUtils.hasText(entityId)) {
+            data.put("entityId", entityId);
+        }
+        if (StringUtils.hasText(trustAnchor)) {
+            data.put("trustAnchor", trustAnchor);
         }
 
         if (SystemKeys.EVENTS_LEVEL_FULL.equals(level)) {

src/main/java/it/smartcommunitylab/aac/openidfed/audit/OpenIdFedOAuth2AuditEventListener.java

@@ -0,0 +1,130 @@
+/**
+ * Copyright 2024 the original author or authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package it.smartcommunitylab.aac.openidfed.audit;
+
+import com.fasterxml.jackson.annotation.JsonInclude.Include;
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import it.smartcommunitylab.aac.SystemKeys;
+import it.smartcommunitylab.aac.audit.store.AuditApplicationEventMixIns;
+import it.smartcommunitylab.aac.core.provider.ProviderConfigRepository;
+import it.smartcommunitylab.aac.oidc.events.OAuth2MessageEvent;
+import it.smartcommunitylab.aac.openidfed.provider.OpenIdFedIdentityProviderConfig;
+import java.time.Instant;
+import java.util.HashMap;
+import java.util.Map;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.actuate.audit.listener.AuditApplicationEvent;
+import org.springframework.context.ApplicationEvent;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.ApplicationEventPublisherAware;
+import org.springframework.context.ApplicationListener;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
+import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
+
+@Component
+public class OpenIdFedOAuth2AuditEventListener
+    implements ApplicationListener<OAuth2MessageEvent>, ApplicationEventPublisherAware {
+
+    private final Logger logger = LoggerFactory.getLogger(getClass());
+
+    private static final String OIDC_MESSAGE = "OIDC_MESSAGE";
+
+    private final ObjectMapper mapper = new ObjectMapper()
+        .registerModule(new JavaTimeModule())
+        //include only non-null fields
+        .setSerializationInclusion(Include.NON_NULL)
+        //add mixin for including typeInfo in events
+        .addMixIn(ApplicationEvent.class, AuditApplicationEventMixIns.class)
+        .addMixIn(OAuth2UserRequest.class, OAuth2UserRequestMixins.class);
+    private final TypeReference<HashMap<String, Object>> typeRef = new TypeReference<HashMap<String, Object>>() {};
+
+    private ApplicationEventPublisher publisher;
+
+    private ProviderConfigRepository<OpenIdFedIdentityProviderConfig> registrationRepository;
+
+    @Autowired
+    public void setRegistrationRepository(
+        ProviderConfigRepository<OpenIdFedIdentityProviderConfig> registrationRepository
+    ) {
+        this.registrationRepository = registrationRepository;
+    }
+
+    @Override
+    public void setApplicationEventPublisher(ApplicationEventPublisher publisher) {
+        this.publisher = publisher;
+    }
+
+    @Override
+    public void onApplicationEvent(OAuth2MessageEvent event) {
+        String authority = event.getAuthority();
+        String provider = event.getProvider();
+        String realm = event.getRealm();
+        String tx = event.getTx();
+
+        logger.debug("receive openidfed message event for {}:{} key {}", authority, provider, String.valueOf(tx));
+
+        if (registrationRepository == null || publisher == null) {
+            logger.debug("invalid configuration, skip event");
+            return;
+        }
+
+        OpenIdFedIdentityProviderConfig config = registrationRepository.findByProviderId(provider);
+        if (config == null) {
+            logger.debug("missing provider configuration, skip event");
+            return;
+        }
+
+        String level = config.getSettingsMap().getEvents();
+        if (SystemKeys.EVENTS_LEVEL_NONE.equals(level)) {
+            logger.debug("provider configuration level none, skip event");
+            return;
+        }
+
+        Map<String, Object> data = new HashMap<>();
+        data.put("authority", authority);
+        data.put("provider", provider);
+        data.put("realm", realm);
+
+        if (StringUtils.hasText(tx)) {
+            data.put("tx", tx);
+        }
+
+        if (SystemKeys.EVENTS_LEVEL_FULL.equals(level)) {
+            //serialize to avoid exposing object to audit
+            data.put("event", mapper.convertValue(event, typeRef));
+        }
+
+        AuditApplicationEvent auditEvent = new AuditApplicationEvent(
+            Instant.ofEpochMilli(event.getTimestamp()),
+            provider,
+            OIDC_MESSAGE,
+            data
+        );
+
+        logger.debug("publish openid message event for audit");
+        if (logger.isTraceEnabled()) {
+            logger.trace("audit event: {}", auditEvent);
+        }
+
+        publisher.publishEvent(auditEvent);
+    }
+}

src/main/java/it/smartcommunitylab/aac/openidfed/auth/OpenIdFedUserRequestEntityConverter.java

@@ -0,0 +1,61 @@
+/**
+ * Copyright 2024 the original author or authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package it.smartcommunitylab.aac.openidfed.auth;
+
+import it.smartcommunitylab.aac.oidc.events.OAuth2UserRequestEvent;
+import it.smartcommunitylab.aac.openidfed.provider.OpenIdFedIdentityProviderConfig;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.ApplicationEventPublisherAware;
+import org.springframework.http.RequestEntity;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequestEntityConverter;
+import org.springframework.util.Assert;
+
+public class OpenIdFedUserRequestEntityConverter
+    extends OAuth2UserRequestEntityConverter
+    implements ApplicationEventPublisherAware {
+
+    private final OpenIdFedIdentityProviderConfig config;
+
+    private ApplicationEventPublisher eventPublisher;
+
+    public OpenIdFedUserRequestEntityConverter(OpenIdFedIdentityProviderConfig config) {
+        Assert.notNull(config, "provider config is required");
+        this.config = config;
+    }
+
+    @Override
+    public RequestEntity<?> convert(OAuth2UserRequest userRequest) {
+        if (eventPublisher != null) {
+            OAuth2UserRequestEvent event = new OAuth2UserRequestEvent(
+                config.getAuthority(),
+                config.getProvider(),
+                config.getRealm(),
+                userRequest
+            );
+
+            eventPublisher.publishEvent(event);
+        }
+
+        return super.convert(userRequest);
+    }
+
+    @Override
+    public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher) {
+        this.eventPublisher = eventPublisher;
+    }
+}

src/main/java/it/smartcommunitylab/aac/openidfed/events/OpenIdFedMessageEvent.java

@@ -0,0 +1,78 @@
+/**
+ * Copyright 2024 the original author or authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package it.smartcommunitylab.aac.openidfed.events;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonInclude.Include;
+import it.smartcommunitylab.aac.events.ProviderEmittedEvent;
+import org.springframework.context.ApplicationEvent;
+import org.springframework.util.Assert;
+
+public abstract class OpenIdFedMessageEvent extends ApplicationEvent implements ProviderEmittedEvent {
+
+    private final String authority;
+    private final String provider;
+    private final String realm;
+
+    private String trustAnchor;
+    private String entityId;
+
+    protected OpenIdFedMessageEvent(String authority, String provider, String realm, Object source) {
+        super(source);
+        Assert.hasText(provider, "provider identifier can not be null or blank");
+        this.authority = authority;
+        this.provider = provider;
+        this.realm = realm;
+    }
+
+    public String getAuthority() {
+        return authority;
+    }
+
+    public String getProvider() {
+        return provider;
+    }
+
+    public String getRealm() {
+        return realm;
+    }
+
+    @JsonInclude(Include.NON_NULL)
+    public String getTrustAnchor() {
+        return trustAnchor;
+    }
+
+    public void setTrustAnchor(String trustAnchor) {
+        this.trustAnchor = trustAnchor;
+    }
+
+    @JsonInclude(Include.NON_NULL)
+    public String getEntityId() {
+        return entityId;
+    }
+
+    public void setEntityId(String entityId) {
+        this.entityId = entityId;
+    }
+
+    @JsonIgnore
+    @Override
+    public Object getSource() {
+        return super.getSource();
+    }
+}